Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
app:tlsfingerprint [2017/11/29 23:02] – [What is TLS Fingerprinting] veeraapp:tlsfingerprint [2018/03/04 13:27] (current) veera
Line 1: Line 1:
-~~Title: SJLJSADJA ~~ +~~Title: TLS Fingerprinting using Trisul ~~ 
  
 ====== TLS Fingerprinter ====== ====== TLS Fingerprinter ======
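Review bot: the new ~~Title~~ macro reads "TLS Fingerprinting using Trisul" while the unchanged H1 directly below it still reads "TLS Fingerprinter"; pick one name so the browser title and the page heading agree. Replacing the placeholder title "SJLJSADJA" is otherwise the right fix.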
Line 45: Line 45:
 ==== Analysis of TLS Fingerprints ==== ==== Analysis of TLS Fingerprints ====
    
-What are you going to do with these prints. There are a few options  +There are two actionable things you can do with these prints 
 + 
   * **Malware prints**  - These are hard to come by  but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc.   * **Malware prints**  - These are hard to come by  but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc.
   * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "Triage state" where a human can look into it.    * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "Triage state" where a human can look into it. 
- 
-In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS.  
- 
-Lets look at what you can do with TrisulNSM and the new TLS Prints App. 
  
  
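Review bot: dropping the two closing paragraphs also drops the transition ("Lets look at what you can do with TrisulNSM and the new TLS Prints App") that introduced the sections that follow, so "Analysis of TLS Fingerprints" now ends on a bullet with no hand-off; keep a one-line lead-in if the next section relies on it. Two points in the retained bullets are worth tightening while the section is open: the "Malware prints" bullet should say that a print identifies the client's TLS stack, not the malware, so a print shared with a common library or OS stack will also match benign clients and should be flagged together with destination context (SNI, server address, certificate) rather than on its own; and the "Anomaly detection" bullet should note that a print changes whenever the client's cipher or extension list changes (browser and library updates), so the "Triage state" will see bursts after updates and the database needs first-seen and last-seen dates per print. Minor: "prints,then" is missing a space, "come by  but" has a doubled space and needs a comma, and "Database" should be lower-case.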
Line 101: Line 97:
 ===== Programatically resolving TLS Prints ===== ===== Programatically resolving TLS Prints =====
  
-This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprints. +This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprints. We released a TRP Ruby script to [[app:auto_fingerprint|programatically resolve TLS Prints using Web Server Access Logs]].
  
  
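Review bot: "programatically" is misspelled in the heading, the body sentence and the new link text (it should be "programmatically"); fix all three. "TRP" is introduced without expansion, so spell out the acronym on first use so the reader knows what kind of script the link leads to. It would also help to name the log file the App writes, or where it is written, since "dumps ... into a log file" is exactly what the linked script has to read.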
app/tlsfingerprint.1511976748.txt.gz · Last modified: 2017/11/29 23:02 by veera